3 Answers
3

Well, the general recommendation would probably be something along the lines of:

Put a firewall in front of your web server. Only allow the traffic you need to allow, and deny (drop or reject is largely a matter of preference) everything else. You have already done this, but there's more to it than just running firewall software.

Go over the software configuration with a fine-toothed comb. Especially consider anything related to file uploads, execution of code, and things like that.

Keep everything that is even potentially exposed to the Internet fully up to date. This includes the operating system, web server, anything served through it (remember that those PHP scripts that let you upload and view files are executable computer code that can have security-related bugs) and anything that those applications rely on (such as for example a database server).

Even in the best case, your setup will only ever be as secure as the least secure portion of whatever is accessible over the Internet. The instant you start accepting packets from the Internet rather than flat out blocking everything, there is always the risk that a bug in the operating system's TCP/IP stack, the software that handles the packets, or where the data coming in eventually ends up, could cause the computer to exhibit behavior other than that desired by you (A.K.A. a security breach of some kind).

As soon as a fix for a security-related problem becomes available, lots of eyes start going over it to see if they might be able to exploit what's been fixed for illicit purposes.

Any host connected to the Internet will see regular scans from various bots. Some are harmless; some are stupid enough to be essentially harmless; but some are actually potentially dangerous, and HTTP on port 80 is common enough that you should expect plenty of such traffic. That you don't have a host name pointing at your IP address doesn't change that fact. Which means that the web server and whatever is running on it will have to be able to deal with anything anyone can throw at it based on currently known security vulnerabilities in any web server software and version (since the attacker won't know exactly what you might be running).

If we assume that this is paradise and everything I have is bugless, Is there anything else that I need to do, or is my setup already 100% safe?
–
PacerierSep 9 '13 at 5:29

What do you mean by "software configuration", and also generally how do we be the first to know of any security updates?
–
PacerierSep 9 '13 at 5:30

Nothing is absolute, and software certainly is never totally free of bugs. Things that look innocous enough can turn out to have serious security implications once someone looks at them with such an eye. By software configuration I mean all the settings that you can adjust in the software. Things like how to serve various kinds of files (particularly, which are executed and which are served as-is?), listening ports and IPs, what information to expose in a publicly-facing way, logins and passwords, etc.
–
Michael KjörlingSep 9 '13 at 7:15

And you don't become the first to know of security updates, you just make sure to find out (and install them promptly) when everyone else does, so keep close tabs on the update manager of the OS and the release pages for any software not covered by it looking for fixes or service packs. Sign up for any relevant mailing lists if such exists to have notifications pushed to you, but don't rely 100% on them being timely (email can easily get delayed).
–
Michael KjörlingSep 9 '13 at 7:16

Denial of service attacks on your public computer. Possibly your whole home network depending on the setup.

If your static IP has a domain name, the WHOIS entry will have your personal contact details globally visible unless (for some registrars) you pay extra money for privacy.

Any IP ban or blacklist upon you or your service will be more effective since your IP doesn't change. You can be traced more consistently across time and services for the same reason, assuming no anonymous routing.

If your computer as server has to be on all the time, the opportunity to attack and maintain an attack is increased. If the computer is your personal computer with family photos, documents, password files, etc. then the breach doesn't need to penetrate further firewalls.

Suggestion:

To get the most benefit (and the most security) out of a home server, I suggest the computer that actually has the static IP is a headless mini computer.

This computer without a monitor or keyboard can act as the primary firewall and reverse proxy for your home network. It can be treated as the demilitarised zone (DMZ) of your home network and protect all the assets that are stored on normal private computers. Whether any part of the rest of your normal computer network is kept on 24/7 now depends on whether the web-server is hosted within the DMZ* or not (or both for two-tier web solutions).

The idea is that this public server is hardened and highly limited in what information and inward-bound authority it possesses; typically running its own much more secure operating system (Linux for example).

The cost of a headless mini computer/home server depends on how much performance and space you need for demilitarized services. On the low end you have Raspberry Pi of perhaps $200 up to beast boxes (minus video card) of $2000 or more. The low-end is better suited for routing & access control than content-rich Drupal sites, but here is an example of a Raspberry webserver.

* Technically I'm misusing the term DMZ somewhat; as a DMZ is a logical network boxed in by two or more routers/firewalls; like the bailey/killing ground of a castle keep. The home server would be both the inner firewall of the DMZ and an asset in the selfsame DMZ.

Denial of service - that's just as possible without a web server running, just do something that'll saturate the connection. A local firewall won't help against that because the traffic has already passed through your pipe to the Internet by the time it has a chance to act on it (by dropping the packets, say).
–
Michael KjörlingSep 8 '13 at 20:07

Privacy implications of a static IP with regards to whois - a valid concern, but not for the reasons you list, and not really a whois problem. The IP address will probably still just show the ISP's contact details, unless the OP has a full netblock assigned from them, and even then it might not. Without special arrangements any PTR on the IP will generally simply lead back to the ISP so not expose any further personal details of the customer/subscriber.
–
Michael KjörlingSep 8 '13 at 20:10

Offering the HTTP service means that any vulnerability in that service becomes an entry point for attackers. So be sure to manage this service with all due diligence: apply security fixes published by the vendor, as promptly as possible. This is for both the HTTP server software itself (say, Apache) and the "site code" (a hole in the PHP code is still a hole). Apart from that, this server won't add much to your (in)security, on the technical side of things.

However, a publicly available HTTP server implies higher exposure. Most people evade trouble not by running fully patched software, but by being commoners. People from home doing Web surfing like normal people. Uninteresting schmucks. There are so many of those, perhaps billions, that nobody really gets motivated into hacking into their machines. Sure, there is a lot of automatic hacking going on; those botnets won't feed themselves ! But no real threat from a motivated, intelligent attacker. By running a Web server, you become uncommon. You may attract interest. People who run Web servers at home may have interesting data to provide; at least they made an effort to provide a service for other people.

Basically, offering such a service tends to remove a very powerful protection layer, i.e. anonymity (as in: "does not show up on radar among the masses"). Evading attacks by simply looking "normal" is, conceptually, a very unsatisfying way to protect your information assets, but it works very well; and your HTTP server will strip you from that.

An extra source of worry is that your home network is "protected" against intrusions by the combined forces of your cable/ADSL modem (provided by your ISP) and, possibly, some sort of home (WiFi) router. These devices use software which is rarely updated, and thus tends to have many security holes. You don't really want to attract attention to that.

I don't want anonymity, I want real firepower to fight off attacks. What's the best setup I can have to defend myself against DOS attacks?
–
PacerierSep 9 '13 at 16:16

DoS attacks works by exhausting your resources. Your scarcest resource is outbound bandwidth: that's what home Internet accesses lack most. But a Web server uses exactly that. The best and about only defence against DoS is to have more muscle, i.e. more output bandwidth than the input bandwidth of the attacker. This will be hard to do with a home Internet access. I recommend renting a server. VPS are not expensive. If you really want to do it from your home, you should apply some QoS so that DoS don't kill your Internet access altogether.
–
Tom LeekSep 9 '13 at 17:05

1

Speaking of which, I invite you to read the details of the contract from your ISP: they may forbid "server-like" usage (many ISP do that). A usual consequence of a DoS is to attract attention from the network provider, and your ISP may then elect to terminate the service they provide to you (and they could do that lawfully). This might be your biggest practical risk.
–
Tom LeekSep 9 '13 at 17:07

hmm but my router doesn't seem to have it's port forwarding disabled... surely the ISP would disable that if they do not want people to host servers. I don't want to rent a server and have everything already done. I would rather do the setup myself and learn as I go.
–
PacerierSep 9 '13 at 18:02